魔盾安全分析报告

分析类型 开始时间 结束时间 持续时间 分析引擎版本
FILE 2022-05-27 19:10:59 2022-05-27 19:13:10 131 秒 1.4-Maldun
虚拟机机器名 标签 虚拟机管理 开机时间 关机时间
win7-sp1-x64-shaapp02-1 win7-sp1-x64-shaapp02-1 KVM 2022-05-27 19:11:02 2022-05-27 19:13:10
魔盾分数

8.086

恶意的

文件详细信息

文件名 IDM_v6.40_Patch_2.5_PieNGril.exe
文件大小 621568 字节
文件类型 PE32 executable (GUI) Intel 80386, for MS Windows
CRC32 94D9010B
MD5 cf4357b99b8e72adcadf5c2d9ebbdd78
SHA1 fe8dcf1dec740092ef725374bc4ec46e45387f94
SHA256 98a1f200eaff0c4dc0ee7086a1b072c36a9168b8972a64fbc77a122b15353275
SHA512 74e29c6234527ee62497d67a39fda1e150c836a71803b0b7c8c4c33478f559ab8788339099caa3a5e1ffdf7e255a8329d55016125c5aa3cfce32a8d27f974289
Ssdeep 12288:HjvIkgEtSiVo9posdRWsJUwGpTC3RasBCkdb75w5w:DgStJo9pmohaynd5wa
PEiD 无匹配
Yara
  • win_files_operation (Affect private profile)
  • IsPE32 (Detected a 32bit PE sample)
  • IsWindowsGUI (Detected a Windows GUI sample)
  • IsPacked (Detected Entropy signature)
  • HasRichSignature (Detected Rich Signature)
VirusTotal VirusTotal查询失败

特征

通过进程尝试延迟分析任务
Process: IDM_v6.40_Patch_2.5_PieNGril.exe tried to sleep 102 seconds, actually delayed analysis time by 0 seconds
魔盾安全Yara检测结果 - 普通
二进制文件可能包含加密或压缩数据
section: name: .rsrc, entropy: 7.54, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ, raw_size: 0x00097000, virtual_size: 0x00096f56
检测到样本尝试模糊或欺骗文件类型

运行截图

网络分析

TCP连接

IP地址 端口
172.232.44.32 80

UDP连接

IP地址 端口
192.168.122.1 53

HTTP请求

URL HTTP数据
http://acroipm.adobe.com/11/rdr/CHS/win/nooem/none/message.zip
GET /11/rdr/CHS/win/nooem/none/message.zip HTTP/1.1
Accept: */*
If-Modified-Since: Mon, 08 Nov 2017 08:44:36 GMT
User-Agent: IPM
Host: acroipm.adobe.com
Connection: Keep-Alive
Cache-Control: no-cache

静态分析

PE 信息

初始地址 0x00400000
入口地址 0x0040102b
声明校验值 0x000998ad
实际校验值 0x000998ad
最低操作系统版本要求 5.0
编译时间 2012-12-22 04:59:46
载入哈希 dc73a9bd8de0fd640549c85ac4089b87

版本信息

LegalCopyright: CrackingCity
FileVersion: 2.5
CompanyName: PileNGril
Comments: This Patch was built with dUP2.
ProductName: Internet Download Manager
ProductVersion: 6.40
FileDescription: IDM 6.40+ Patch / CrackingCity Technique
Translation: 0x0000 0x04b0

PE数据组成

名称 虚拟地址 虚拟大小 原始数据大小 特征 熵(Entropy)
.text 0x00001000 0x000001f6 0x00000200 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 5.06
.rdata 0x00002000 0x000001d8 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 4.27
.data 0x00003000 0x00000034 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 0.57
.rsrc 0x00004000 0x00096f56 0x00097000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 7.54
.reloc 0x0009b000 0x00000052 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ 0.74

导入

库 kernel32.dll:
0x402000 - DeleteFileA
0x402004 - ExitProcess
0x402008 - FindResourceA
0x40200c - FreeLibrary
0x402010 - GetModuleHandleA
0x402014 - GetProcAddress
0x402018 - GetTempPathA
0x40201c - LoadLibraryA
0x402020 - LoadResource
0x402024 - RtlMoveMemory
0x402028 - SizeofResource
0x40202c - VirtualAlloc
0x402030 - lstrcatA
0x402034 - CloseHandle
0x402038 - CreateFileA
0x40203c - FlushFileBuffers
0x402040 - WriteFile

投放文件

无信息

行为分析

互斥量(Mutexes)
  • Local\MSCTF.Asm.MutexDefault1
执行的命令 无信息
创建的服务 无信息
启动的服务 无信息

进程

IDM_v6.40_Patch_2.5_PieNGril.exe PID: 2460, 上一级进程 PID: 2244

访问的文件
  • C:\Users\test\AppData\Local\Temp\dup2patcher.dll
  • C:\Users\test\AppData\Local\Temp\IDM_v6.40_Patch_2.5_PieNGril.exe.Local\
  • C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2
  • C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
  • C:\Windows\Globalization\Sorting\sortdefault.nls
  • C:\Windows\Fonts\staticcache.dat
  • C:\Users\test\AppData\Local\Temp\bassmod.dll
  • C:\Users\test\AppData\Local\Temp\WINMM.dll
  • C:\Windows\System32\winmm.dll
  • C:\Users\test\AppData\Local\Temp\
  • \Device\KsecDD
读取的文件
  • C:\Users\test\AppData\Local\Temp\dup2patcher.dll
  • C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
  • C:\Windows\Globalization\Sorting\sortdefault.nls
  • C:\Windows\Fonts\staticcache.dat
  • C:\Users\test\AppData\Local\Temp\bassmod.dll
  • C:\Windows\System32\winmm.dll
  • \Device\KsecDD
修改的文件
  • C:\Users\test\AppData\Local\Temp\dup2patcher.dll
  • C:\Users\test\AppData\Local\Temp\bassmod.dll
删除的文件 无信息
注册表键
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\IDM_v6.40_Patch_2.5_PieNGril.exe
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Verdana
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\DRIVERS32
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\wave
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\wave1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\wave2
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\wave3
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\wave4
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\wave5
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\wave6
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\wave7
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\wave8
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\wave9
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\midi
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\midi1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\midi2
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\midi3
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\midi4
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\midi5
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\midi6
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\midi7
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\midi8
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\midi9
  • HKEY_CURRENT_USER\System\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm
  • HKEY_CURRENT_USER\System\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm\wheel
  • HKEY_CURRENT_USER
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Multimedia\MIDIMap
  • HKEY_LOCAL_MACHINE\Software\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{03B5835F-F03C-411B-9CE2-AA23E1171E36}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{07EB03D6-B001-41DF-9192-BF9B841EE71F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3697C5FA-60DD-4B56-92D4-74A569205C16}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3FC47A08-E5C9-4BCA-A2C7-BC9A282AED14}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{531FDEBF-9B4C-4A43-A2AA-960E8FCDC732}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{81D4E9C9-1D3B-41BC-9E6C-4B40BF79E35E}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{8613E14C-D0C0-4161-AC0F-1DD2563286BC}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{A028AE76-01B1-46C2-99C4-ACD9858AE02F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{AE6BE008-07FB-400D-8BEB-337A64F7051F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{C1EE01F2-B3B6-4A6A-9DDD-E988C088EC82}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{E429B25A-E5D3-4D1F-9BE3-0C608477E3A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F25E9F57-2FC8-4EB3-A41A-CCE5F08541E6}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F89E9E58-BD2F-4008-9AC2-0F816C09F4EE}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
  • HKEY_CURRENT_USER\Software\Microsoft\CTF\DirectSwitchHotkeys
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\KnownClasses
读取的注册表键
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\wave
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\wave1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\wave2
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\wave3
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\wave4
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\wave5
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\wave6
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\wave7
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\wave8
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\wave9
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\midi
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\midi1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\midi2
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\midi3
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\midi4
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\midi5
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\midi6
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\midi7
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\midi8
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\midi9
  • HKEY_CURRENT_USER\System\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm\wheel
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
修改的注册表键 无信息
删除的注册表键 无信息
API解析
  • kernel32.dll.FindFirstFileA
  • kernel32.dll.GetStdHandle
  • kernel32.dll.WriteFile
  • kernel32.dll.FlushFileBuffers
  • kernel32.dll.CompareStringA
  • kernel32.dll.CreateDirectoryA
  • kernel32.dll.GlobalAlloc
  • kernel32.dll.GlobalLock
  • kernel32.dll.GlobalUnlock
  • kernel32.dll.FindClose
  • kernel32.dll.lstrlenW
  • kernel32.dll.lstrlenA
  • kernel32.dll.lstrcpyA
  • kernel32.dll.lstrcmpiA
  • kernel32.dll.lstrcmpA
  • kernel32.dll.lstrcatA
  • kernel32.dll.WideCharToMultiByte
  • kernel32.dll.WaitForSingleObject
  • kernel32.dll.VirtualFree
  • kernel32.dll.VirtualAlloc
  • kernel32.dll.UnmapViewOfFile
  • kernel32.dll.CloseHandle
  • kernel32.dll.CopyFileA
  • kernel32.dll.CreateFileA
  • kernel32.dll.CreateFileMappingA
  • kernel32.dll.CreateProcessA
  • kernel32.dll.CreateThread
  • kernel32.dll.DeleteFileA
  • kernel32.dll.ExpandEnvironmentStringsA
  • kernel32.dll.FindResourceA
  • kernel32.dll.FreeLibrary
  • kernel32.dll.GetCommandLineA
  • kernel32.dll.GetCurrentDirectoryA
  • kernel32.dll.GetFileAttributesA
  • kernel32.dll.GetFileSize
  • kernel32.dll.GetFileTime
  • kernel32.dll.GetModuleFileNameA
  • kernel32.dll.GetModuleHandleA
  • kernel32.dll.GetProcAddress
  • kernel32.dll.GetSystemInfo
  • kernel32.dll.GetTempPathA
  • kernel32.dll.GetVersionExA
  • kernel32.dll.LoadLibraryA
  • kernel32.dll.LoadResource
  • kernel32.dll.MapViewOfFile
  • kernel32.dll.MoveFileA
  • kernel32.dll.MultiByteToWideChar
  • kernel32.dll.RtlMoveMemory
  • kernel32.dll.RtlZeroMemory
  • kernel32.dll.SetCurrentDirectoryA
  • kernel32.dll.SetEndOfFile
  • kernel32.dll.SetEnvironmentVariableA
  • kernel32.dll.SetFileAttributesA
  • kernel32.dll.SetFilePointer
  • kernel32.dll.SetFileTime
  • kernel32.dll.SizeofResource
  • kernel32.dll.Sleep
  • advapi32.dll.RegSetValueExA
  • advapi32.dll.RegDeleteValueA
  • advapi32.dll.RegCreateKeyExA
  • advapi32.dll.RegOpenKeyExA
  • advapi32.dll.RegQueryValueExA
  • advapi32.dll.RegCloseKey
  • comdlg32.dll.GetOpenFileNameA
  • comdlg32.dll.GetSaveFileNameA
  • gdi32.dll.BitBlt
  • gdi32.dll.CreateCompatibleBitmap
  • gdi32.dll.CreateCompatibleDC
  • gdi32.dll.CreateDIBSection
  • gdi32.dll.CreateFontIndirectA
  • gdi32.dll.CreateSolidBrush
  • gdi32.dll.ExtCreateRegion
  • gdi32.dll.GetStockObject
  • gdi32.dll.GetTextExtentPointA
  • gdi32.dll.AddFontResourceA
  • gdi32.dll.TextOutA
  • gdi32.dll.SetTextColor
  • gdi32.dll.SetBkMode
  • gdi32.dll.SetBkColor
  • gdi32.dll.SelectObject
  • gdi32.dll.RoundRect
  • gdi32.dll.RemoveFontResourceA
  • shell32.dll.ShellExecuteA
  • shell32.dll.ShellExecuteExA
  • user32.dll.ShowWindow
  • user32.dll.SetWindowTextA
  • user32.dll.SetWindowRgn
  • user32.dll.SetWindowPos
  • user32.dll.TrackPopupMenu
  • user32.dll.SetTimer
  • user32.dll.SetFocus
  • user32.dll.SetDlgItemTextA
  • user32.dll.SetClassLongA
  • user32.dll.UpdateWindow
  • user32.dll.SetWindowLongA
  • user32.dll.SetCapture
  • user32.dll.SendMessageA
  • user32.dll.ReleaseCapture
  • user32.dll.RegisterClassExA
  • user32.dll.RedrawWindow
  • user32.dll.PtInRect
  • user32.dll.OffsetRect
  • user32.dll.MessageBoxA
  • user32.dll.LoadStringA
  • user32.dll.LoadIconA
  • user32.dll.LoadCursorA
  • user32.dll.LoadBitmapA
  • user32.dll.IsDlgButtonChecked
  • user32.dll.InvalidateRect
  • user32.dll.IntersectRect
  • user32.dll.GetWindowRect
  • user32.dll.GetWindowLongA
  • user32.dll.GetSystemMetrics
  • user32.dll.CloseClipboard
  • user32.dll.EmptyClipboard
  • user32.dll.OpenClipboard
  • user32.dll.SetClipboardData
  • user32.dll.GetClientRect
  • user32.dll.MoveWindow
  • user32.dll.GetSysColor
  • user32.dll.GetParent
  • user32.dll.GetKeyState
  • user32.dll.GetDlgItemTextA
  • user32.dll.GetDlgItem
  • user32.dll.GetDlgCtrlID
  • user32.dll.GetDC
  • user32.dll.GetCursorPos
  • user32.dll.GetCapture
  • user32.dll.GetActiveWindow
  • user32.dll.EndDialog
  • user32.dll.EnableWindow
  • user32.dll.DrawTextA
  • user32.dll.DialogBoxParamA
  • user32.dll.DefWindowProcA
  • user32.dll.CreateWindowExA
  • user32.dll.CreatePopupMenu
  • user32.dll.CheckDlgButton
  • user32.dll.CallWindowProcA
  • user32.dll.AppendMenuA
  • dup2patcher.dll.load_patcher
  • kernel32.dll.AttachConsole
  • comctl32.dll.RegisterClassNameW
  • kernel32.dll.SortGetHandle
  • kernel32.dll.SortCloseHandle
  • uxtheme.dll.EnableThemeDialogTexture
  • uxtheme.dll.OpenThemeData
  • imm32.dll.ImmGetContext
  • imm32.dll.ImmReleaseContext
  • imm32.dll.ImmAssociateContext
  • imm32.dll.ImmIsIME
  • gdi32.dll.GetLayout
  • gdi32.dll.GdiRealizationInfo
  • gdi32.dll.FontIsLinked
  • advapi32.dll.RegOpenKeyExW
  • advapi32.dll.RegQueryInfoKeyW
  • gdi32.dll.GetTextFaceAliasW
  • advapi32.dll.RegEnumValueW
  • advapi32.dll.RegQueryValueExW
  • gdi32.dll.GetFontAssocStatus
  • advapi32.dll.RegEnumKeyExW
  • kernel32.dll.LeaveCriticalSection
  • kernel32.dll.InitializeCriticalSection
  • kernel32.dll.QueryPerformanceFrequency
  • kernel32.dll.DisableThreadLibraryCalls
  • kernel32.dll.EnterCriticalSection
  • kernel32.dll.DeleteCriticalSection
  • kernel32.dll.QueryPerformanceCounter
  • kernel32.dll.SetThreadPriority
  • kernel32.dll.GetCurrentThread
  • winmm.dll.waveOutSetVolume
  • winmm.dll.waveOutGetDevCapsA
  • winmm.dll.timeBeginPeriod
  • winmm.dll.timeEndPeriod
  • winmm.dll.waveOutGetPosition
  • winmm.dll.waveOutWrite
  • winmm.dll.timeGetTime
  • winmm.dll.waveOutGetNumDevs
  • winmm.dll.waveOutOpen
  • winmm.dll.waveOutClose
  • winmm.dll.waveOutPrepareHeader
  • winmm.dll.waveOutPause
  • winmm.dll.waveOutReset
  • winmm.dll.waveOutGetVolume
  • winmm.dll.waveOutUnprepareHeader
  • winmm.dll.waveOutRestart
  • msvcrt.dll._fileno
  • msvcrt.dll._CIpow
  • msvcrt.dll._CIexp
  • msvcrt.dll._strdup
  • msvcrt.dll._adjust_fdiv
  • msvcrt.dll._initterm
  • msvcrt.dll.fread
  • msvcrt.dll._wfopen
  • msvcrt.dll.fopen
  • msvcrt.dll.fseek
  • msvcrt.dll._filelength
  • msvcrt.dll.fclose
  • msvcrt.dll._ftol
  • msvcrt.dll.malloc
  • msvcrt.dll.strtol
  • msvcrt.dll.free
  • msvcrt.dll.rand
  • msvcrt.dll._beginthread
  • msvcrt.dll.realloc
  • bassmod.dll.BASSMOD_Init
  • bassmod.dll.BASSMOD_MusicFree
  • bassmod.dll.BASSMOD_MusicLoad
  • bassmod.dll.BASSMOD_MusicPlay
  • bassmod.dll.BASSMOD_Free
  • sechost.dll.OpenSCManagerW
  • sechost.dll.OpenServiceW
  • sechost.dll.QueryServiceStatus
  • sechost.dll.CloseServiceHandle
  • rpcrt4.dll.RpcStringBindingComposeW
  • rpcrt4.dll.RpcBindingFromStringBindingW
  • rpcrt4.dll.RpcStringFreeW
  • mmdevapi.dll.#3
  • rpcrt4.dll.NdrClientCall2
  • user32.dll.SetLayeredWindowAttributes
  • ole32.dll.CoInitializeEx
  • ole32.dll.CoUninitialize
  • cryptbase.dll.SystemFunction036
  • ole32.dll.CoRegisterInitializeSpy
  • ole32.dll.CoRevokeInitializeSpy
  • gdi32.dll.GdiIsMetaPrintDC